IIS 7 and Above
IIS 7.5 stops using machine account to connect to network resource wh...
Last post Feb 17, 2012 12:34 AM by ccorkrum1979
Mar 04, 2011 03:03 PM|nub_340|LINK
cscript.exe C:\windows\System32\iisweb.vbs /stop www.sitename.com /s SERVERNAME
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs STOP_SERVER W3SVC/AppPools/APPPOOLNAME -s:SERVERNAME
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs START_SERVER W3SVC/AppPools/APPPOOLNAME -s:SERVERNAME
cscript.exe C:\windows\System32\iisweb.vbs /start www.sitename.com /s SERVERNAME
Application Pool Identity
Mar 04, 2011 08:57 PM|HCamper|LINK
Since your looking for suggestion(s).
I suggest you considered looking at State / Status as a problem.
Your stop scripts might include a wait() for individual services or servers.
Your scripts might be include a status check.
Your start scripts might include a wait() time that would allow other services to catch up.
Check the IIS Server log for status codes
Mar 07, 2011 09:58 PM|Leo Tang - MSFT|LINK
Thanks for posting. You may also consider specify the path credentials instead of use pass-through authentication(Basic Settings...->Connect as...). In this way, the a specific account will be used to connect to the network share.
Mar 08, 2011 02:38 PM|nub_340|LINK
Mar 31, 2011 01:42 PM|nub_340|LINK
Mar 31, 2011 02:42 PM|HCamper|LINK
Question did you create state() diagram for any of the server status?
I will try with "Best Effort" to show what might be the important to look at.
Check the IIS Server log for status codes
Use the Icacls command
MS Support http://support.microsoft.com/kb/919240 KB919240 information.
Reference http://en.wikipedia.org/wiki/Cacls .
Jan 05, 2012 11:18 AM|AlanR54NC|LINK
We to are having the same issue as described in this article, and so far no resolution. Was a solution determinded for the original issue ? Our environment is a IIS 7.5 shared hosting service for company internal websites. Each site runs in its own app pool
and we have a mix of .Net 2.0 thru 4.0 hosted applications.
Thanks for any updates, clues, solutions
Jan 05, 2012 12:42 PM|nub_340|LINK
Jan 05, 2012 01:27 PM|AlanR54NC|LINK
Thanks for the update. We have opened a ticket with MS,but was hoping to save some time if you already had a "fix". We are just getting started with the data collection. We have the same website running on a server, but in different app pools.One works fine
and the other is not passing the credentials so we can recreate the issue on demand (until we reboot). If we make any progress I will post back here. I will also provide this forum item to our MS resource in case they would like to compare notes with your
Jan 06, 2012 03:07 PM|AlanR54NC|LINK
We have opened a problem ticket with MS and are in the data collection phase,no solution yet. However, if you are seeing this same problem and woudl like to reference our ticket to provide more examples; you may reference case #112010662771698.
Jan 25, 2012 01:06 PM|Foxer|LINK
What have you guys been doing in the mean time? Are you just restarting the servers? We've been contemplating using a different account for the app pool identity, but haven't done anything yet.
Jan 27, 2012 01:43 AM|kctt|LINK
There should be some entry in Event log about the error.
It could be some kind of permission messed up after server working for some time.
Jan 31, 2012 03:43 PM|Foxer|LINK
I talked to MS support and after a long phone call they directed me to a hotfix (KB2545850). It looks like there is an issue with the computer account changing, and then when you reset IIS it fails to authenticate with the machine account.
After initial testing is seemed like this was working, however additional testing was inconclusive. I'm going to wait to see if there are any more errors in the next couple of weeks, and if not I'm going to assume that this fix did in fact work.
I'd be interested to see if anyone else is able to solve this issue using this hotfix.
Jan 31, 2012 09:19 PM|AlanR54NC|LINK
Yes. We were directed to that same patch and so far, so good. we were able to recreate the issue on demand using a reg hack from MS. Issue has disappeared. We have applied the patch to several nonproduction servers, and while still a little early, no side
effects or recurrances of the problem.
Feb 01, 2012 09:59 AM|Foxer|LINK
Feb 03, 2012 02:38 PM|nub_340|LINK
Feb 03, 2012 09:08 PM|Rovastar|LINK
Looking at this thread it looks a little like an issue I got with apppoolidentity
but it depends on what 500 error you got.
TBH those "undocumented" features it put me off using app pool identity and I just stick to network service or if I really need to have more security just create separate users for the identities.I really don't understand the true need for that account.
In my experience it doesn't always work nicely with .net.
Feb 15, 2012 01:07 PM|nub_340|LINK
Feb 17, 2012 12:34 AM|ccorkrum1979|LINK
I ran across this thread looking for something else but I am also using a web farm and haven't noticed any issues with authentication. I actually ran into this trying to compare my setup to others. I currently have 4 servers 2 IIS and 2 File/DFS servers
all domain joined. Most of the content is static but as for permissions on the DFS NS and content links I am using Authenticated Users Full Control on the share, NTFS Authenticated Users with list data on this subfolder only and Administrators, SYSTEM Full
Control, and WebFarmUser (Domain Account) Read. For the AppPools I'm using AppPoolIdentity, Authentication I am using the AppPoolIdentity, and using Path Credentials when connecting to the UNC path. The WebFarmUser was also added to IIS_IUSR group on each
web node. I haven't brought into the mix FTP and WebDAV yet and that is how I stumbled on the thread seeing if my setup will work, Only thing I have noticed was people using the WebFarmUser as the AppPoolIdentity or Network Service, but not knowing much about
share permissions and everything working as is maybe I'm already on the right track?